Part V: Site Maintenance and Management 690 issues that have been reported but remain unfixed. Extensions listed on the Joomla! Extensions Directory include ratings and reviews — read them! Tip Joomla! maintains a Vulnerable Extensions List. You should always check this before making a final decision on the adoption of a particular extension. The list is maintained at http://docs.joomla.org/Vulnerable_Extensions_List . Next, before you install a new extension on a live site, test it locally. Check to make sure it installs cleanly and without error messages. Test all the various functionalities, regardless of whether you intend to use them all. It’s also a good idea to check and see if the extension comes with a README file; if it does, read it! Finally, before installing the new extension on your live site, back up the live site. That way, if a problem occurs you can roll back and restore from the backup. If at some point in time you decide that the extension is no longer necessary and you uninstall it, make sure that the extension has uninstalled cleanly and has not left any files on your server. Often, extensions leave directories and files behind on your server, despite being uninstalled. Keeping Up With Security Notices Things change. New vulnerabilities are discovered and new exploits are created to take advantage of them. Sometimes the rate of change is quite impressive, and it becomes a challenge to keep up and maintain all aspects of your site. The Joomla! Security Strike Team was formed by the commu- nity as an attempt to address the dynamic nature of threats to the Joomla! system. As new issues are discovered, the community reports them to the Strike Team. The team formulates responses, works to learn more and, when needed, get patches out to the users. Keeping up with the announcements from the Joomla! Security Strike Team is one of the ways you can stay informed of important news that may impact your Joomla! site. Important notices are always published on the home page of Joomla.org. In addition, the default Joomla! 1.5.x system includes in the control panel an RSS feed from the Joomla! Security Strike Team, as shown in Figure 25.1. Of course, if you rely on these default notifications, you only discover new alerts when you visit Joomla.org or when you log into your Joomla! installation. If you want more imme- diate notices, then you should consider either subscribing to the RSS feed with a separate news reader or joining the mailing list so that notifications are sent to you by e-mail. The URLs for both services are included in the Table 25.1. Chapter 25: Keeping Your Site Secure and Up to Date 691 FIGURE 25.1 The admin system’s control panel includes by default the Joomla! Security Newsfeed. The channel you prefer to use for alerts is entirely up to you, but the simple fact is that the only way to keep your site secure is to keep it — and its extensions — up to date. When new versions are released, do not delay in upgrading. New releases require immediate action. If you fail to upgrade your site after a security release is announced and your site is subsequently hacked, you really have no one to blame but yourself. The Joomla! team and community have created and maintain a number of useful security resources. Table 25.1 lists the resources. Part V: Site Maintenance and Management 692 TABLE 25.1 Joomla! Security Resources Name of resource URL Security Checklist: Getting Started http://docs.joomla.org/Security_ Checklist_1_-_Getting_Started Security Checklist: Hosting and Server Setup http://docs.joomla.org/Security_ Checklist_2_-_Hosting_and_Server_Setup Security Checklist: Testing and Development http://docs.joomla.org/Security_ Checklist_3_-_Testing_and_Development Security Checklist: Joomla Setup http://docs.joomla.org/Security_ Checklist_4_-_Joomla_Setup Security Checklist: Site Administration http://docs.joomla.org/Security_ Checklist_5_-_Site_Administration Security Checklist: Site Recovery http://docs.joomla.org/Security_ Checklist_6_-_Site_Recovery Joomla Security Strike Team Contact Form http://developer.joomla.org/security/ contact-the-team.html Security and Performance FAQs http://docs.joomla.org/Security_and_ Performance_FAQs Automatic Email Notification System http://feedburner.google.com/fb/a/mail verify?uri=JoomlaSecurityNews Security RSS Feed http://feeds.joomla.org/JoomlaSecurityNews Joomla! 1.5 Security Forum http://forum.joomla.org/viewforum.php?f=432 Vulnerable Extensions List http://docs.joomla.org/Vulnerable_ Extensions_List Security Announcements for Joomla! Developers http://developer.joomla.org/security/news. html Joomla! Developers Security Articles and Tutorials http://developer.joomla.org/security/ articles-tutorials.html Managing Site Maintenance Whenever a new patch or update is released, you need to get it installed on your site without delay. Sometimes, particularly in the case of extensions, the patch can be a small matter; in other cases, particularly in the case of a new version release, installation of the new files can entail a sig- nificant amount of work. In either event, having an established process for dealing with the upgrades is useful as it helps avoid the possibility that you will miss something during the upgrade, only to discover problems later on. Chapter 25: Keeping Your Site Secure and Up to Date 693 Before you begin any significant maintenance process, you should make sure that you have a cur- rent backup of your site. If something goes wrong, you need to be able to roll the site back to the previous version. While it may be time consuming to follow this advice, it is worth it. Trust me, you aren’t doing this for the 99 times out of 100 that you don’t have a problem; you are doing it for the one time that you do! If you are dealing with your personal site this may be simply a matter of inconvenience, but if you are handling a client or an employer’s site, it is unprofessional not to take the appropriate precautions to protect their site and their data. Taking a site offline Prior to undertaking any major upgrade on a live site you should take the site offline, that is, hide it from public view. Joomla! makes it possible to take a site offline with one click, while still retain- ing access to the admin system. After the site is offline, you can perform whatever maintenance you need and check your work prior to putting the site back live. To take your site offline, follow these steps: 1. Log in to the admin system of your site. 2. Access the Global Configuration Manager either by clicking on the Global Configuration icon on the control panel or by clicking on the Global Configuration link under the Site Menu. The Global Configuration Manager loads in your browser, as shown in Figure 25.2. 3. Click the Yes option next to the label Site Offline. 4. Adjust the Offline Message text, if you so desire. 5. Click the Save icon. The system takes the front end of the site offline and displays the Offline Message to site visitors. To put the site back online, follow these steps: 1. Log in to the admin system of your site. 2. Access the Global Configuration Manager by either clicking on the Global Configuration icon on the control panel or by clicking on the Global Configuration link under the Site Menu. The Global Configuration Manager loads in your browser. (Refer to in Figure 25.2). 3. Click the No option next to the label Site Offline. 4. Click the Save icon. The system puts the front end of the site back online. Part V: Site Maintenance and Management 694 FIGURE 25.2 The Site Settings of the Global Configuration Manager. Backing up your site Backing up a Joomla! site involves making copies of the files on the server and the data in your database. A complete backup encompasses both elements. Tip In terms of best practices, it is a good idea to maintain at all times the two most recent full backups of your site. This provides you with protection in the event the most recent backup is corrupted or incomplete. If your site is large, maintaining multiple full backups can take up a lot of space. If space is an issue, then maintain an incremental back-up regimen that backs up only your changed files. The question of how frequently you need to back up your site is best answered with reference to the frequency with which your site changes. If your site changes daily, then perhaps daily backups are in order. If you site changes only sporadically, then weekly backups will probably do the job. Make sure that you don’t keep all your backups in one location. If there is a fire or other problem that results in the loss of one backup, you want to increase your chances that the second copy is Chapter 25: Keeping Your Site Secure and Up to Date 695 protected. If your web hosting contract provides for back-up services, make sure you periodically download the files to keep a copy locally as your failsafe. To make a complete backup of your site, you will need to access the files on the server and make a copy of them. Typically this is done by FTP or through your web hosting control panel’s file man- ager. You also need to use a tool such as phpMyAdmin to make a copy of the database for the site. As an alternative to using multiple tools and doing this manually, you can install additional extensions to your Joomla! site to enable this from within the admin interface. As discussed in Chapter 22, several tools can help you create and manage your backups. Restoring from a backup Manually restoring the files on your server is a simple process; you only need to copy your back- up files onto the server, replacing the files that are there. If you have used full backups this is a one-step process. If you are using incremental backups you, first you need to copy the full backup and then copy the incremental back-up files. Manually restoring your database is slightly more complicated, because you need to use phpMyAdmin to import the back-up files to overwrite the existing database tables. Just like creating back ups, restoring from a back up can be undertaken manually, but the process can be made much simpler through the use of any of several third-party extensions. Tip If you have never tried to restore a site from a backup, I highly recommend that you try the process once before you deploy your site. The process is not difficult, but you don’t want to be doing it for the first time on a live site that you need to get working again! Regaining access to your admin account Sometimes a site administrator loses his password, or a hack attempt results in the loss of the administrator’s password. If you have access to the Password Reset functionality on the Login Form, you can try to use it to get a new password. If that does not work, then you need to go to the database to solve the problem. Although you cannot recover a lost admin password, you can reset it in the database and thereby gain access to the account. Passwords are stored in the database along with the user data. The passwords are not human- readable, because they are stored as MD5 hashed values, as shown in Figure 25.3. Part V: Site Maintenance and Management 696 FIGURE 25.3 The jos_users table, as viewed from phpMyAdmin. Note the password field, showing the password as an MD5 hashed value. By way of example, follow these steps to reset a user’s password to the value “admin”: 1. Use phpMyAdmin to access the database on your server. 2. Select the database for your Joomla! site from the combo box on the left side of the page. The list of database tables in the database is displayed in the left column, below the combo box. 3. Click on the table named jos_users in the list of tables. The users table screen shows on the right side of the page. 4. Click on the Browse button on the top toolbar. The screen shows all of the users that are set up for this site. 5. Find the user whose password you want to change. Click the Edit icon next to the user’s name. The Edit screen is displayed. Chapter 25: Keeping Your Site Secure and Up to Date 697 6. Copy this value exactly: 21232f297a57a5a743894a0e4a801fc3 — this is the MD5 hash value that equates to the string “admin.” Paste this value into the field names password. 7. Click the Go button. phpMyAdmin saves the new value for the password and return you to the users table. The value entered into the password field in the preceding example changes the user’s password to “admin.” The user should now be able to log in to the site by typing their username along with the password “admin.” They should change their password immediately to their preferred value. Upgrading a Joomla! Installation One thing is certain: At some point during the life of your Joomla! site you will find the need to go through the process of upgrading your site. Indeed, odds are you will need to go through this pro- cess numerous times. Accordingly, I recommend that you adopt a process for handling upgrades in order to avoid disruption to the site and downtime. The first step to any upgrade is identifying the version you are currently running, and then identi- fying the proper upgrade package for your installation. To find the version of your current site, fol- low these steps: 1. Log in to the admin system of your site. 2. Access the System Info page by clicking on the System Info link under the Help menu. The System Info page loads in your browser, as shown in Figure 25.4. 3. Look at the line labeled Joomla! Version — this is the version of Joomla! installed on your site. After you know your current version, you can identify and download the proper upgrade package from JoomlaCode.org. Cross-Reference Finding and obtaining the Joomla! core files from JoomlaCode.org is covered in Chapter 2. Next, before you begin the actual upgrade, make a full backup of your existing site. Set this aside in the event that something goes wrong and you need to restore your site. After the backup is done, you can proceed with the actual upgrade process. Part V: Site Maintenance and Management 698 FIGURE 25.4 The System Info page, in this example showing a site with a Joomla! Version 1.5.10 installed. Follow these steps: 1. Unpack the upgrade archive on your local machine. 2. Take your site offline, as discussed earlier in this chapter. 3. Move the files to your server using either FTP or your web hosting control panel’s file manager; note the cautions outlined in the “Upgrade issues” sidebar. 4. If database changes are required, follow the instructions given with the upgrade and make the changes. 5. Test the changes. 6. If all is well, put the site back online, as discussed earlier in this chapter. Tip Official Joomla! upgrade instructions can always be found at http://docs.joomla.org/Upgrade_Instructions. Chapter 25: Keeping Your Site Secure and Up to Date 699 Tip The official Joomla! forums include a section dedicated to Upgrades and Migration. Visit http://forum.joomla.org/viewforum.php?f=430 . Summary In this chapter, we have taken a look at Joomla! security and site maintenance issues. You learned the following: l How to help secure your Joomla! installation l How to back up and restore your site files and database l How to install patches and upgrades to your site Due to the wide variance in systems, servers, and upgrades, you may cover all the various issues that may result in the process of an upgrade. You should take note of the following key issues: l A Joomla! upgrade package will only cover the core files; extensions will need to be upgraded separately. l For complex sites, it is best to test the upgrade first on a local or development installation. If all goes well, then you can roll out the upgrade to the live site. l Installing upgrade files on your server involves overwriting the old files. If you have installed third-party templates and other extensions, take special care you do not erase them! Moreover, if you have modified any of the core files, make certain you have identified the changes so that you can apply the changes to the new files. Upgrade Issues . System http://feedburner.google.com/fb/a/mail verify?uri=JoomlaSecurityNews Security RSS Feed http://feeds .joomla. org/JoomlaSecurityNews Joomla! 1. 5 Security Forum http://forum .joomla. org/viewforum.php?f=432 Vulnerable Extensions List http://docs .joomla. org/Vulnerable_ Extensions_List Security. process. Part V: Site Maintenance and Management 698 FIGURE 25.4 The System Info page, in this example showing a site with a Joomla! Version 1. 5 .10 installed. Follow these steps: 1. Unpack. yourself. The Joomla! team and community have created and maintain a number of useful security resources. Table 25 .1 lists the resources. Part V: Site Maintenance and Management 692 TABLE 25 .1 Joomla!